A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS,
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) Responsive to communication(s) filed on 16 February 2010.
2a) This action is FINAL. 2b) This action is non-final.

3) Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 
DETAILED ACTION



Response to Amendment 

This office action is responsive to Applicant's amendment and remarks received
on 2/16/2010. Claims 105, 107, 109-115, 117-118, 127-130, 133-156, 159, 162-166, 168-169,
171-172, 174-175, 177-178, and 180-193 are pending.



Allowable Subject Matter 

Claims 105, 107, 109-115, 117, 118, 127-130, 133-151, 168-169, 171-172, 174-175,
177-178, and 186-193 are allowed.

Claims 182 and 185 are objected to as being dependent upon a rejected base claim, but 
would be allowable if rewritten in independent form including all of the limitations of the base 
claim and any intervening claims. 

Response to Arguments 

Applicant's arguments filed on February 1, 2010 have been fully considered but
they are not persuasive for the following reasons:

Regarding Claims 152-156, 159, 162-166, and 180-185, applicant argued that "the
Applicant disagrees with these rejections, at least for the reasons set forth in the
previous response. Kouznetsov's analyzer 19 waits for system calls to be made by the
code under investigation, and then intercepts/analyzes such calls, while the method of
claim 152 and 159 selects an active program, executes each of the recited first and
second plurality of detection routines, and, upon completion, categorizes the code
under investigation using results of the executed detection routines."

This is not found persuasive. The cited system clearly teaches and describes a
dynamic computer virus detection system that monitors runtime state within a defined
computing environment and tracks the sequence of monitored execution events for
each application. A histogram describing the occurrence of specific execution event
sequences characteristic of computer virus behavior is also created for each application
(Kouznetsov: col. 5, line 18 to col. 6, line 30, and Chess: col. 5, line 55 to col. 6, line 35).

Therefore, the examiner asserts that the cited prior art does teach or suggest a
method and apparatus for detecting malicious code in an information handling system
as recited in the independent and dependent claims. Accordingly, the rejections of claims
152-156, 159, 162-166, 180-181, and 183-184 are respectfully maintained.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 152-156, 159, 162-166, 180-181, and 183-184 are rejected under 35
U.S.C. 103(a) as being unpatentable over Kouznetsov (U.S. Patent No. 6,973,577) in
view of Chess et al. (U.S. Patent No. 6,772,346, "Chess" hereinafter).

1. Regarding claims 152 and 159, Kouznetsov discloses a computer-implemented
method comprising:

the program is running on an operating system of the computer system (col. 5,
lines 18-65 and col. 6, lines 1-30) (i.e., wherein the code under investigation is each of
the incoming system calls 91, 92, and 93 generated by the applications 33, 34, and 35
(shown in figure 2)); and

executing each of a first and second plurality of detection routines on the 
operating system of the computer system (i.e., static analyzer 52 and dynamic analyzer 
53) (col. 4, lines 47-58), 
system of the computer system to gather information about the first program,
wherein the first plurality of detection routines are executable to detect information
about the first program that is indicative of valid code, and wherein the second plurality
of detection routines are executable to detect information about the first program that is
indicative of malicious code; weight results of the first and second pluralities of detection
routines (i.e., static analyzer 52 performs behavior checking and generates alerts and
histograms only if patterns of suspicious events are observed. Dynamic analyzer 53
analyzes histograms and identifies behavioral repetitions within the histograms which
indicate behavior characteristic of a computer virus/compromise) (col. 4, lines 38-67 and
col. 5, lines 1-7);

use the weighted result (i.e., the results indicated by static analyzer 52 and 
dynamic analyzer 53) to categorize the code under investigation with respect to the 
likelihood of the code under investigation compromising the security of the computer 
system (i.e., computer viruses are self-replicating program code which often carry 
malicious and sometimes destructive payloads and "malware" can include Trojan 
horses, hoaxes, and spam mail - col. 1, lines 45-48)(col. 5, lines 18-67 and col. 6, lines 
1-30); 

use the weighted result to categorize the code under investigation with respect to
the likelihood of the code under investigation compromising the security of the computer
system (i.e., computer viruses are self-replicating program code which often carry
malicious and sometimes destructive payloads, and "malware" can be categorized as the
following: Trojan horses, hoaxes, and spam mail - col. 1, lines 45-48) (col. 5, lines 18-67
and col. 6, lines 1-30).

Kouznetsov does not explicitly disclose a functionality that determines the
monitored result/code under investigation to be valid/non-malicious code.

However, Chess discloses applying a detection routine to the code under
investigation to obtain a result, weighting such result to obtain a first score indicative of
whether the code under investigation has characteristics and/or behaviors typically
associated with malicious code or with valid code (i.e., files determined to be non-
malicious) (col. 5, lines 55-67 and col. 6, lines 1-21), and applying a second detection
routine to the code under investigation to obtain a second result, weighting such second
result to obtain a second score indicative of whether the code under investigation has
characteristics and/or behaviors typically associated with malicious code (col. 6, lines
19-29);

Chess further discloses, upon completing the execution of the first and second
plurality of detection routines, using the first and/or second scores to categorize the
code under investigation with respect to the likelihood of the code under investigation 
compromising the security of the computer system (i.e., the filtering step may include 
the steps of determining whether a file contains known malicious code that is correctly 
handled by an existing protection definition)(col. 5, lines 55-67 and col. 6, lines 1-35). 

Therefore, it would have been obvious to a person of ordinary skill in the art at
the time of applicant's invention to modify the teachings of Kouznetsov with the teachings of
Chess because it would allow scoring/determining the monitored events/code under
investigation as valid/non-malicious and invalid/malicious code as disclosed by Chess.
One of ordinary skill in the art would have been motivated by the suggestion of Chess to
filter out undesirable mail (i.e., files) from client inboxes (Chess, col. 9, lines 23-30).

2. Regarding claims 153-156 and 162-166, Kouznetsov discloses determining
from the score (i.e., repetitions of suspicious behavioral patterns) that the code under
investigation is malicious code (col. 5, lines 43-58, col. 6, lines 63-67, and col. 7,
lines 1-10).

Chess further discloses wherein the determination that the code under 
investigation is malicious code is based on the first score not exceeding a valid code 
threshold value (i.e., matches between code under investigation and the records of 
database 210 of known non-malicious files) and the second score exceeding a 
malicious code threshold value (i.e., matches between code under investigation and the 
records of database 220 of known malicious code descriptions) (col. 6, lines 5-35). 
Chess further discloses clustering files within each classification by using a code- 
similarity metric to determine the similarity of the possibly-malicious code in each file to 
the corresponding code in the other files and grouping together those files which are 
closest according to the metric (col. 7, lines 33-46). 

3. Regarding claims 180-181 and 183-184, Kouznetsov discloses wherein:

each of the detection routines within the first and second plurality of detection routines
gathers a different type of information about the code under investigation, and wherein the
first and second pluralities of detection routines are not themselves running on the operating
system of the computer system in a manner that prevents the code under investigation from
infecting the computer system (col. 4, line 38 to col. 6, line 30).

there is at least one detection routine within the collective first and second
pluralities of detection routines that, when executed, obtains information about the code
under investigation by accessing the operating system of the computer system via an
API of the operating system (col. 4, line 38 to col. 6, line 30).

the first and second pluralities of detection routines collectively include a first
detection routine that determines a behavior of the code under investigation and a
second detection routine that determines a characteristic of the code under investigation
(Kouznetsov: col. 5, line 18 to col. 6, line 30, and Chess: col. 5, line 55 to col. 6, line 35).
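The claimed method as paraphrased in the rejection above (a first plurality of routines indicative of valid code, a second indicative of malicious code, weighted results, and a categorization made only after both pluralities complete, with the valid-code and malicious-code thresholds of claims 153-156) can be sketched as follows. This is an added illustration written for this page, not code from either cited patent or from the application; the routine names, weights, thresholds, and the ProgramInfo fields are all assumed, and the sample programs are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProgramInfo:
    """Constructed stand-in for what the routines gather about a running program (assumed fields)."""
    path: str
    signed: bool                    # characteristic: verified publisher signature present
    known_good_hash: bool           # characteristic: hash matches a record of known non-malicious files
    writes_to_startup: bool         # behavior: persists via a startup location
    injects_into_other_procs: bool  # behavior: writes into other processes
    self_replicates: bool           # behavior: copies its own code to other files


# (name, check, weight): each check gathers one type of information and returns 1.0
# when its indicator is present, else 0.0; the weight is its contribution to the score.
Routine = Tuple[str, Callable[[ProgramInfo], float], float]

VALID_ROUTINES: List[Routine] = [          # first plurality: indicative of valid code
    ("publisher_signature", lambda p: float(p.signed), 0.6),
    ("known_good_hash", lambda p: float(p.known_good_hash), 0.4),
]
MALICIOUS_ROUTINES: List[Routine] = [      # second plurality: indicative of malicious code
    ("startup_persistence", lambda p: float(p.writes_to_startup), 0.2),
    ("process_injection", lambda p: float(p.injects_into_other_procs), 0.3),
    ("self_replication", lambda p: float(p.self_replicates), 0.5),
]


def weighted_score(routines: List[Routine], prog: ProgramInfo) -> Tuple[float, Dict[str, float]]:
    """Run every routine in the plurality, weight each result, and sum the weighted results."""
    detail = {name: check(prog) * weight for name, check, weight in routines}
    return round(sum(detail.values()), 6), detail


def categorize(prog: ProgramInfo, valid_threshold: float = 0.5,
               malicious_threshold: float = 0.5) -> str:
    """Categorize only after both pluralities have completed: malicious when the valid score
    does not exceed its threshold AND the malicious score exceeds its threshold; valid when
    the reverse holds; anything else is left for review rather than trusted."""
    valid_score, _ = weighted_score(VALID_ROUTINES, prog)
    mal_score, _ = weighted_score(MALICIOUS_ROUTINES, prog)
    if valid_score <= valid_threshold and mal_score > malicious_threshold:
        return "malicious"
    if valid_score > valid_threshold and mal_score <= malicious_threshold:
        return "valid"
    return "suspicious"  # conflicting evidence, e.g. a signed binary that self-replicates


# Constructed sample programs (not real binaries).
WORM = ProgramInfo("C:\\temp\\svch0st.exe", False, False, True, True, True)
SIGNED_INSTALLER = ProgramInfo("C:\\setup\\installer.exe", True, True, True, False, False)
SIGNED_BUT_REPLICATING = ProgramInfo("C:\\tools\\helper.exe", True, False, False, True, True)
```

The third sample shows why both scores are consulted together: a valid signature alone does not override strong malicious-behavior evidence.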



Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event,
however, will the statutory period for reply expire later than SIX MONTHS from the date of this
final action.

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to SYED ZIA whose telephone number is (571) 272-3798. The
examiner can normally be reached from 9:00 to 5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, William R. Korzuch can be reached on 571-272-7589. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

sz 

May 15, 2010

/Syed Zia/

Primary Examiner, Art Unit 2431



